POLICY TITLE:     Enterprise Password

POLICY #: IT - 05

DATE DRAFTED: 03/20/2002

DATE POSTED for Review: 11/04/02

APPROVED DATE: 05/01/01

REVISION DATE: 02/27/04 (Enterprise Password V2-3)

BRIEF DESCRIPTION: Defines institutionally approved rules for using passwords for authentication.


Introduction:

Many computer systems and applications at the University of Iowa use a login ID and password as the method of authenticating users. As the university moves toward a single-sign-on environment, in which entry of a single login ID and password will authenticate you to multiple systems, robust passwords provide a major defense against unauthorized use of our systems.

The object when choosing a password is to make it as difficult as possible for anyone to make an educated guess about what you've chosen. You can protect your own files and University resources by choosing a good password, changing it regularly, and never sharing it with others.

Policy Statement:

This policy applies to all information technology systems and processes at The University of Iowa that create, modify, or use information that is private/confidential or of significant institutional value. All such systems will adhere to the minimum acceptable standards, as described below.

System administrators may choose to implement these standards with a combination of technological controls and local practice. Policies and/or standards adopted by a college or administrative unit must be consistent in principle with this University policy, but may provide additional detail, guidelines or restrictions.

Minimum Password Standards

  1. A unique user identifier and password are issued for each user of the system.

  2. User-initiated password changes must be supported.

  3. Sharing of individual account passwords is not appropriate. This does not apply to generic group accounts, where the password is managed within a work group.

  4. A password must be changed if you share it in the course of getting help with a problem, or if you believe someone has used your account or may have seen or captured your password.

  5. Passwords should be changed at significant events or changes of status, such as a semester change. All passwords should be changed at least twice in a calendar year.

  6. Administrator intervention is required to reset/change passwords that are forgotten, corrupted, or otherwise unknown to the user. Alternatively, an institutionally approved challenge-response self-service application may be used.

  7. Proof of identity for password resets may be:

    • A secret key or satisfactory answers about personal information held in central database records

    • Department, supervisor, or liaison identification

    • A photo ID or human factor such as a biometric scan

    • Satisfactory challenge-responses in a self-service application

    Accounts will be restricted from logins if the administrator cannot identify the user with one of these methods, until a positive verification can be made.

  8. Administrator and other high-level access passwords will be changed more frequently than non-administrator passwords, from four to six times per year.

  9. A minimum of one previously used password will be checked at change time to prevent reuse.

  10. Passwords must be stored in a hashed/encrypted format, and will be transmitted over open networks in an encrypted format.

  11. Password strength tests and/or controls (e.g., alpha-numerics, dictionary tests) will be employed to ensure that robust passwords, at least 6 characters in length, are used.
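Standards 9, 10 and 11 are the ones a system administrator actually implements in code: a strength test at change time, hashed storage of the password, and a check against at least one previous password. The following is an added example, not code from the University of Iowa or from this policy; it assumes a salted PBKDF2-HMAC-SHA256 hash as the "hashed format", a small constructed word list standing in for a real dictionary file, and a history depth of one previous password (the policy minimum). The point worth seeing is that, because every stored hash carries its own random salt, the reuse check cannot compare hashes directly; it must verify the candidate against each stored (salt, hash) pair.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed stand-in for a dictionary file (assumption, not a real word list).
DICTIONARY = {"password", "iowa", "hawkeye", "welcome", "letmein"}
MIN_LENGTH = 6          # standard 11: at least 6 characters
HISTORY_DEPTH = 1       # standard 9: at least one previous password is checked
PBKDF2_ROUNDS = 100_000 # assumed work factor; tune for the deployment


def strength_problems(candidate: str) -> list[str]:
    """Return the list of reasons a candidate password fails the strength test
    (empty list means it passes). Implements the 'alpha-numerics, dictionary
    tests' controls of standard 11."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must mix letters and digits")
    # Dictionary test: strip digits and lower-case, so "Password1" still fails.
    core = "".join(c for c in candidate if c.isalpha()).lower()
    if core in DICTIONARY:
        problems.append("based on a dictionary word")
    return problems


def hash_password(candidate: str) -> tuple[bytes, bytes]:
    """Standard 10: store only a salted hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash under the stored salt and compare in constant time."""
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(recomputed, digest)


@dataclass
class Account:
    user_id: str
    current: tuple[bytes, bytes]                       # (salt, digest) in use now
    history: list[tuple[bytes, bytes]] = field(default_factory=list)  # most recent first


def create_account(user_id: str, password: str) -> Account:
    problems = strength_problems(password)
    if problems:
        raise ValueError("; ".join(problems))
    return Account(user_id, hash_password(password))


def change_password(account: Account, old: str, new: str) -> list[str]:
    """User-initiated change (standard 2). Returns the reasons the change was
    rejected; an empty list means the password was changed."""
    if not verify(old, *account.current):
        return ["current password incorrect"]
    problems = strength_problems(new)
    # Reuse check: each stored pair has its own salt, so verify against each one.
    for salt, digest in [account.current] + account.history[:HISTORY_DEPTH]:
        if verify(new, salt, digest):
            problems.append("reuses a previous password")
            break
    if problems:
        return problems
    account.history.insert(0, account.current)
    del account.history[HISTORY_DEPTH:]     # keep only the depth the policy needs
    account.current = hash_password(new)
    return []


if __name__ == "__main__":
    acct = create_account("hawkid01", "Tq7ep3")
    print(change_password(acct, "Tq7ep3", "Tq7ep3"))   # reuse of the current password
    print(change_password(acct, "Tq7ep3", "Xk9mb2"))   # accepted
    print(change_password(acct, "Xk9mb2", "Tq7ep3"))   # reuse of the previous password
```

Raising HISTORY_DEPTH is the only change needed for a unit that adopts a stricter local standard, as the Policy Statement allows; the rest of the logic is unchanged because the check already walks every retained entry.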

Related Policies, References and Attachments:

This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.

They are incorporated into the University of Iowa Operations Manual (http://www.uiowa.edu/~our/opmanual/index.html) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://www.uiowa.edu/~our/opmanual/ii/19.htm).

  1. Enterprise Active Directory Policy

  2. Enterprise Login ID Standard

  3. Enterprise Authentication Policy

Copyright © 2005 The University of Iowa. All rights reserved.